I inherited a FreeIPA cluster, hand cranked and all of that. For some reason, the wrong schema was replicated from a bad server that I was trying to add to the cluster using ipa-replica-install to a working one. 10% of IPA servers are left and I am afraid I may lose them. Before this disaster, a coworker was upgrading FreeIPA servers using --skip-version-check. Some servers have 4.9.13-12.module+el8, others have 4.9.13-18.module+el8. The following is a snippet of multiple error lines:

ERR - NSACLPlugin - __aclp__init_targetattr - targetattr “ipauserdefaultsubordinateid” does not exist in schema. Please add attributeTypes “ipauserdefaultsubordinateid” to schema if necessary.
ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr = "cn
ERR - NSACLPlugin - __aclinit_handler - This ((targetattr = “cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserdefaultsubordinateid || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass”)(targetfilter = “(objectclass=ipaguiconfig)”)(version 3.0;acl “permission:System: Read Global Configuration”;allow (compare,read,search) userdn = “ldap:///all”;)) ACL will not be considered for evaluation because of syntax errors.
ERR - NSACLPlugin - __aclp__init_targetattr - targetattr “ipaautoprivategroups” does not exist in schema. Please add attributeTypes “ipaautoprivategroups” to schema if necessary.
ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr = "cn
ERR - NSACLPlugin - __aclinit_handler - This ((targetattr = “cn || createtimestamp || entryusn || ipaautoprivategroups || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass”)(targetfilter = “(objectclass=ipaidrange)”)(version 3.0;acl “permission:System: Read ID Ranges”;allow (compare,read,search) userdn = “ldap:///all”;)) ACL will not be considered for evaluation because of syntax errors.
WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to ‘off’
ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com–no CoS Templates found, which should be added before the CoS Definition.

I am not sure where to begin, I am kind of lost. Help is appreciated.
